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Abstract 

We provide a computer verified exact monadic functional implementation of the 
Riemann integral in type theory. Together with previous work by O'Connor, 
this may be seen as the beginning of the realization of Bishop's vision to use 
constructive mathematics as a programming language for exact analysis. 



1. Introduction 

Integration is one of the fundamental techniques in numerical computation. 
However, its implementation using floating point numbers requires continuous 
effort on the part of the user in order to ensure that the results are correct. 
This burden can be shifted away from the end-user by providing a library of 
exact analysis in which the computer handles the error estimates. For high 
assurance we use computer verified proofs that the implementation is actually 
correct; see [GNSWOT] for an overview. It has long been suggested that by 
using constructive mathematics exact analysis and provable correctness can be 
unified [Bis671 IBis70| . Constructive mathematics provides a high level frame- 



work for specifying computations (Section 2.1). However, Bishop |Bis67| p. 357 
writes: 

As written, this book is person-oriented rather than computer- 
oriented. It would be of great interest to have a computer- oriented 
version. Without such a version, it is hard to predict with any confi- 
dence what form computer- oriented abstract analysis will eventually 
assume. A thoughtful computer-oriented presentation should uncover 
many interesting phenomena. 

Our aim is to provide such a presentation for Riemann integration. In fact, 
we provide much more. We provide an implementation in dependent type the- 



ory (Section 2.2). Type theory is a formal framework for constructive mathe- 
matics |ML98[ IML821 INPS90| . It supports the development of formal proofs, 
while, at the same time, being an efficient functional programming language 
with a dependent type system. We use the Coq |Tea081 IBC04j proof assis- 
tant, which is an implementations of the Calculus of Inductive Constructions 
(CIC) |CH88|[CP90| . However, we believe that the ideas presented in this paper 
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are general enough to easily be developed in other implementations of type the- 
ory, such as Martin-L6f type theor^ QCTL98l IML821 |NPS90| . so our presentation 
is mostly done in a type-theoretic agnostic way. 

Coq includes a compiler |GL02j based on OCaml's virtual machine to allow 
efficient evaluatiorj^ As a feasibility study, we have implemented Riemann 
integration. Our implementation is functional and structured in a monadic 
way. This structure greatly simplifies the integrated development of the program 
together with its correctness proof. 

In constructive analysis one approximates real numbers by rational, or dyadic 
numbers. Rational numbers, as opposed to the real numbers, can be represented 
exactly in a computer. The real numbers are the completion of the rationals. 
The completion construction can be organized in a monad, a familiar construct 



from functional programming (Section 2.8 1. This completion monad provides an 



efficient combination of proving and computing |O'C07j . In this paper, we use 
a similar technique: the integrable functions are in the completion of rational 
step functions (Section |3.1| , and the same monadic implementation is reused. 
Our contributions include: 



We show that the step functions form a monad itself (Section 3.2 1 that 



distributes over the completion monad (Section 3.9 ) 



• Using the applicative functor interface of the step function monad we lift 



functions and relations to step functions (Section 3.3 1 



Using combinators we also lift theorems to reason about these functions 



and relations on step functions (Section 4.6 1 



• We define both and L°° metrics on step functions (Section 3.51 and 



define integration on the completion of the space (Section 3.6 1 



We show how to embed uniformly continuous functions into this space in 



order to integrate them (Section 3.7 1 



We extend our definition of Riemann integral to a Stieltjes integral (Sec- 



tion 3.81 



1.1. Notation 

We will use traditional notation from functional programming for this paper. 
Thus fx will represent function application. We will typically use curried func- 
tions, so fxy will represent {fx)y, and / will have type X ^ Y ^ Z (meaning 
X ^{Y ^ Z)). 



^In particular wc do not believe that we make any essential use of impredicativity of 
propositions in Coq. 

■^We copy the conclusions from the benchmarks carried out in IGL02| :'...our reducer runs 
about as fast as OCaml's bytecode interpreter; the speed ratio varies between 1.4 and 0.95. 
Compiling the extracted Caml code with the OCaml native-code compiler results in speed 
ratios between 3.5 and 5.6, which is typical of the speed-ups obtained by going from bytecode 
interpretation to native-code generation.' 
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We will mostly gloss over details about equivalence relations for types. We 
will use X to represent the equivalence relation to be used with the types in 
question. We will use :=for defining functions and constants. 

We denote the type of the closed unit interval as [0, 1], and ]0, 1[ will be the 
type of the open interval. We denote the the open interval restricted to the 
rational numbers by ]0, l[q. 

2. Background 

2.1. Constructive mathematics and type theory 

We wish to use constructive reasoning because constructive proofs have a 
computational interpretation. For example, a constructive proof of (ys V ?A tells 
which of the two disjuncts hold. A proof of 3n : IM.Pn gives an explicit value for 
n that makes Pn hold. Most importantly, we have a functional interpretation 
of and V. A proof of Vn : N.3m : ¥!.Rnm is interpreted as a function with 
an argument n that returns an m paired with a proof of Rnm. A proof of ^(p, 
which is equal to (/p _L by definition, is a function taking an arbitrary proof 
of (/J to a proof of _L (false) — which means there should not be any proofs of ip. 

The connectives in constructive logic come equipped with their constructive 
rules of inference (given by natural deduction) |SU98) . Excluded middle {(pV—'ip) 
cannot be deduced in general, and proof by contradiction, ^^(p ^ tp, is also not 
provable in general. 

2.2. Dependently typed functional programming 

The functional interpretation of constructive deductions is given by the 
Curry-Howard isomorphism |SU98| . This isomorphism associates formulas with 
dependent types, and proofs of formulas with functional programs of the asso- 
ciated dependent types. For example, the identity function Aa; : A.x of type 
A ^ A represents a proof of the tautology A ^ A. Table [l] lists the association 
between logical connectives and type constructors. 



Logical Connective 


Type Constructor 


implication: 


function type: 


conjunction: A 


product type: x 


disjunction: V 


disjoint union type: + 


true: T 


unit type: () 


false: _L 


void type: 


for all: Vx.Px 


dependent fmiction type: Hx.Px 


exists: 3x.Px 


dependent pair type: Y,x.Px 



Table 1: The association between formulas and types given by the Curry-Howard isomorphism. 

In dependent type theory, functions from values to types are allowed. Using 
types parametrized by values, one can create dependent pair types, Sx : A.Px, 
and dependent function types, Hx : A.Px. A dependent pair consists of a value 



3 



X of type A and a value of type Px. The type of the second value depends on 
the first value, x. A dependent function is a function from the type A to the 
type Px. The type of the result depends on the value of the input. 

The association between logical connectives and types can be carried over to 
constructive mathematics. We associate mathematical structures, such as the 
natural numbers, with inductive types in functional programming languages. 
We associate atomic formulas with functions returning types. For example, we 
can define equality on the natural numbers, x =^ y, as a recursive function: 



=M 
Sx =iv[ 
=N Sy 
Sx =N Sy 



= T 

= _L 

= _L 

= X y 



One catch is that general recursion is not allowed when creating functions. The 
problem is that general recursion allows one to create a fixed-point operator, 
fix : {if ^ ip) ^ (p, that corresponds to a proof of a logical inconsistency. To 
prevent this, we allow only well-founded recursion over an argument with an 
inductive type. Because well-founded recursion ensures that functions always 
terminate, the language is not Turing complete. However, one can still express 
fast-growing functions, such as the Ackermann function, without difficulty by 
using higher-order functions |Tho91| . 

Because proofs and programs are written in the same language, we can 
freely mix the two. For example, in previous work |O'C07| . the real numbers 
are presented by the type 

3/ : Q+ ^ Q.Veie2.|/ei - /£2| < £i + £2- (1) 

A value of this type is a pair of a function / : => Q and a proof of 
Veie2-|/ei — /£2| < ei + 62- The idea is that a real number is represented 
by a function / that maps any requested precision e : Q"^ to a rational approx- 
imation of the real number. Not every function of type Q"*" ^ (Q represents a 
real number. Only those functions that have coherent approximations should 
be allowed. The proof object paired with / witnesses the fact that / has coher- 
ent approximations. This is one example of how mixing functions and formulas 
allows one to create precise data- types. 



2.3. Extensional Equality 

In this paper, we will use the equality sign {—) for extensional equality. 

Two functions /, g of the same type are considered extensionally equal when, for 
any input given to both functions, the outputs of the functions are extensionally 
equal: 

f = g ■.= \/a.f{a) = g{a). 

Two values of an inductive type are extensionally equal when their constructors 
are the same and all parameters are extensionally equal. 
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Extensional equality is the finest equality we will need. However, Coq uses 
a finer equality called intensional equality for its fundamental equality. 

Another sort of equality that we will frequently use is setoid equality (see 



Section 2.4 1, which is generally coarser than extensional equality. 



2.^. Setoids Instead of Quotients 

A quotient type is a type modulo a given equivalence relation on that type. 
For instance, the type Q is often considered as a quotient of the type K x N+. 
Coq does not have quotient types. One reason for this is that it would destroy 
the decidability of type checking. One instead passes around the equivalence 
relation in question. To do this, one often uses a data structure called a setoid, 
or a Bishop set |Bis67[ iHoaTl IBCP03] . A setoid {A, x^) is a type paired with 
an equivalence relation on that type. Functions between setoids that preserve 
their equivalence relations are called respectful. Proving that a function is 
respectful consists of the same work in traditional mathematics needed to prove 
that a function over quotients is well-defined. Respectful functions are also 
called morphisms. 

2.4-1- Rewrite Automation 

Coq supports reasoning about setoids through its tactics setoid_rewrite 
and setoid_replace [Coe04j . These tactics will automatically create the de- 
ductions for substitution of setoid equivalent terms into respectful functions and 
relations. This support makes reasoning about setoid equivalence almost as easy 
as reasoning about equality in Coq. 

Furthermore, Coq has the ability to define a database of rewrite lemmas. 
These lemmas have terms of the form a b for their conclusions. When they 
are added to the database the user indicates which way substitution should be 
performed (the same lemma can be added to different databases with different 
directions). The user can then use the database as a rewrite system to process a 
hypothesis or goal. The autorewrite <database> tactic will repeatedly try to 
use the lemmas in the named database to rewrite the goal. Well crafted rewrite 
databases can be used to quickly transform or simplify expressions. 

2.5. Metric spaces 

Traditionally, a metric space is defined as a set X with a metric function 
d : X X X ^ R'^"'" satisfying certain axioms. The usual constructive formulation 
requires d be a computable function. In previous work |0'CQ7] . it was useful 
to take a more relaxed definition for a metric space that does not require the 
metric be a function. A similar construction can be found in the work by Rich- 
man |Ric08| . Instead, the metric is represented via a (respectful) ball relation 
B : Q+ =4> X AT where 7k- is the type of propositions, satisfying five 

axioms: 

1. yxe.B^xx 

2. \fxye.B^xy B^yx 
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4. Wxye.{WS.e < S ^ Bgxy) B^xy 

5. yxy.{\fe.B^xy) a; x y 

The ball relation B^xy expresses that the points x and y are within e of each 
other. We call this a ball relationship because the partially applied relation 
B^x : X * is a predicate that represents the closed ball of radius e around 
the point x. 

For example, Q can be equipped with the usual metric by defining the ball 
relation as 

B'^xy := \x ~ y\ < e. 
This definition satisfies all the required axioms. 

2.6. Uniform continuity 

We are interested in the category of metric spaces with uniformly continuous 
functions between them. A function f : X ^ Y between two metric spaces is 
uniformly continuous with modulus /// : Q+ ^ Q+ if 

yxiX2e.B^^^xiX2 B^ {fxi){fx2). 

A function is uniformly continuous if it is uniformly continuous with some 
modulus. We use the notation X Y with a single bar arrow to denote the 
type of uniformly continuous functions from X to Y. This record type consists 
of three parts, a function / of type X ^ Y , a modulus of continuity, and a 
proof that / is uniformly continuous with the given modulus. We will leave 
the projection to the function type implicit and allow us to write fx when 
/ : A" — ^ y and x : X. Our definition of uniform continuity implies that the 
function is respectful. 

2.7. Monads 

Moggi |Mog89| recognized that many non-standard forms of computation 
may be modeled by monad^ Wadler }Wad92a] popularized their use in func- 
tional programming. Monads are now an established tool to structure com- 
putation with side-effects. For instance, programs with input X and output 
Y which have access to a mutable state S can be modeled as functions of 
type X X S ^ Y X S, OT equivalently X ^ (Y x S)^ . The type construc- 
tor DJIY := (Y X S)^ is an example of a monad. Similarly, partial functions 
may be modeled by maps X ^ Y±, where Y± := Y + () is a monad. The 
reader monad, DJtY :— Y^ , for passing an environment implicitly will play an 
important role in this paper. 



In category theory one would speak about the Kleisli category of a (strong) monad. 
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The formal definition of a (strong) monad is a triple (971, return, bind) con- 
sisting of a type constructor 9Jt and two functions: 

return : X ^ MX 
bind : {X MY) ^ MX ^ MY 

We will denote (returns) as i, and (bind/) as /. These two operations must 
satisfy the following laws: 

bind return a x a 

fa >i fa 
f{ga) X bind(/og)a 

Alternatively, we can define a (strong) monad using three functions: 
return : X =^ MX 
map : {X ^ Y) ^ {MX ^ MY) 

join : m(mx) ^ mx 

satisfying certain laws. These can be obtained from the previous presentation 
of a monad by defining 

map /to := bind(return o/)to 
join TO := Im. 

where I is the identity function. Conversely, given the (return, map, join) presen- 
tation we define 

bind/ := joino(map/). 

2.8. Completion monad 

The first monad that we will meet in this paper is O'Connor's completion 
monad £ |O'C07| . Given a metric space X, the completion of X is defined by 

€X := 3/ : (Q+ ^ XVeiEa-B^ (/ei)(/£2). 

The real numbers defined as the completion, R :— £Q, is exactly the type given 
in equation [T] 

The function return : X — > €.X is the embedding of a metric space in its 
completion. The function join : €{CX) — >■ <^X is half of this isomorphism 
between €{€X) and £X (with return being the other half). Finally, a uniformly 
continuous function f : X Y can be lifted to operate on complete metric 
spaces, map / : CX — €.Y. Uniformly continuity is essential in this definition 
of map. This means that £ is a monad on the category of metric spaces with 
uniformly continuous functions. One advantage of this approach is that it helps 
us to work with simple representations. To specify a function from R — R, 
one can simply define a uniformly continuous function / ; Q — > R, and then 
/ : R -> R is the required function. Hence, the completion monad allows us to 
do in a structured way what was already folklore in constructive mathematics: 
to work with simple, often decidable, approximations to continuous objects; see 
e.g. |Sch08j . 
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3. Informal Presentation of Riemann Integration 

In this section, we present our work in informal constructive mathematics. 
Everything presented here has been formahzed in Coq, except where otherwise 
noted. 

We will implement Riemann integration as follows: 

1. Define step functions; 

2. Introduce applicative functors and show that step functions form an ap- 
plicative functor; 

3. Show that the step functions form a metric space under both the and 

L°° norms; 

4. Define intcgrable functions as the completion of the step functions under 

the norm; 

5. Define integration first on step functions and lift it to operate on integrable 
functions; 

6. Define an injection from the uniformly continuous functions to the inte- 
grable functions in order to integrate them. 

At the end, we will see that it is natural to generalize our Riemann integral to 
a Stieltjes integral. 

3.1. Step functions 

Our first goal will be to define (formal) step functions and some important 
operations on them. For any type X, we first define the inductive data type 
of (rational) step functions from the unit interval to X, denoted by &X. A 
step function is either a constant function, const .t, for some x : X, or two step 
functions, / : &X and g : &X glued at a point in o, glue 0/5, where o must be 
a rational number strictly between and 1. We will sometimes write (const x) 
as X, and (glueo/g) as f t> o < g. 

Definition 1. The rules for constructing the inductive data type &: 

x:X o:(0,1)q / : 6(X) g : &{X) 

consta;:6(X) f > < g : e{X) 

The elements of this inductive type are intended to be interpreted as step 
functions on [0,1]. The interpretation of x is the constant fimction on [0,1] 
returning x. The interpretation of / > o < <? is / squeezed into the interval 
[0,0] and g squeezed into the interval [o, 1]. In this sense / and g are "glued" 
together. 

Even though we call step functions "functions" , they are not really functions, 
and we never formally interpret them as functions. They are a formal structure 
that takes the place of step functions from classical mathematics. It does not 
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/ ' ° 9 



f>o<g 



Figure 1: Given two step functions / and g, the step function f \> o < g is f squeezed into 
[0, o] and g squeezed into [o, 1]. 



matter that our informal interpretation of / > o < g is not well defined at o, 
because the step functions are intended for integration, not for evaluation at a 
point. 

One can see that this inductive type is a binary tree whose nodes hold data 
of type (0, 1)q, and whose leaves have type X. We work with an equivalence 
relation on this binary tree structure that identifies different ways of constructing 
the same step function. Informally, this is the equivalence relation induced by 
our interpretation; the formal equivalence relation is defined in Section |3.4[ 

We define two sorts of inverses to glue which we call left-split and right-split. 
Given / : &X and a : (0, 1)q we define left-split (written as / ► a : &X) and 
right-split (written as a -4 / : &X) as follows: 

Definition 2. 



X ► a :— 





(if a 


< 


o) 


fl 


(if a 




o) 


fl>-a<Ur^ fff ) 


(if a 


> 


o) 


(^ ^ /O > fEt < /. 


(if a 


< 


o) 


fr 


(if a 




o) 


< fr 


(if a 


> 


o) 



{fl> 0<\ fr) ► a 

a <x 

a< {fi\> o<\ fr) 



Informally, the left split (/ ► a) takes the portion of / on the interval [0, a] 
and scales it up to the full interval [0, 1]. The right split (a M f) does the same 
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thing for the portion of / on the interval [a, 1]. We have that 

(/ ► a) > a <] (a "4 /) X / 

holds, which means that gluing back the left and right pieces of a step func- 
tion split at a returns an equivalent function back. However, this process does 
not generally return an identical representation. The formal definition of the 
equivalence relation is defined later in Section [3. 4[ 

The inductive type for step functions has an associated catamorphism which 
we call fold. 

Definition 3. 

fold : {X ^Y)^ ((0, 1)q ^ Y ^ Y ^ Y) ^ 6X ^ Y 

fold (pipx := ipx 

fold ipip{f l> o <] g) ^"^(fold ipi/jf ){fo\d (fil^g). 

This fold operation is used in many places. For instance, it is used to define 



two metrics on step functions (Section 3.5 1 or to check whether a property holds 



globally on [0, 1] (Section 3.4). Not every fold respects the equivalence relation 
on step functions, so we need to prove that each fold instance we use respects 
the equivalence relation. 



3.2. Step functions form a monad 

The step function type constructor S forms a monad similar to the reader 
monad XX. X^^'^^ [Wad92b . The return of 6 is the constant function, map is 
defined in the obvious way using fold, and the join from &{&X) to &X is the 
formal variant of the join function from the reader monad, join fz := fzz, which 
considers a step function of step functions as a step function of two inputs and 
returns the step function of its diagonal: 

Definition 4. 

join/ := / 

join (/ [> o O g) :— join(map(Ax.a; ► o)/) t> o <l join(map(Aa;.o M x)g). 

Rather than use these monadic functions, we use the applicative functor 
interface to this monad. 



3.3. Applicative functors 

Let 9Jl be a strong monad. To lift a function / : X F to a function 
MX ^ MY, we use map : (X ^ F) ^ MX => MY. Lifting a function with 
two curried arguments is possible using a similar function map2. However, to 
avoid having to write a function map n for each natural number n, one can use 
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the theory of appUcative functors. An consists of a type constructor T and two 
functions: 



pure : X ^ %X 

ap : %{X ^Y)^%X^%Y 

The function pure hfts any value inside the functor. The ap function apphes a 
function inside the functor to a value inside the functor to produce a value inside 
the functor. We denote (purex) by x, as was done for monads, and we denote 
(ap/x) by /@a;. An applicative functor must satisfy the following laws |MP08j : 

I@w X V Identity 

B@u@u@w X u@{v@w) Composition 

f@x X fx Homomorphism 

u@y X ev^@u Interchange 

Where B and I are the composition and identity combinators respectively 



(see Section 4.5) and evj, := A/./y is the function which evaluates at y. 

Every strong monad induces the canonical applicative functor |MP08j where 

pure := return 

/@a; := bind(Ag. mapgx)/. 

As the name suggests, every applicative functor can be seen as a functor. Given 
an applicative functor we define map : [X ^Y) ^ IX ^ 1Y as 

map /x := f@x. 

When T is generated from a monad, this definition of map is equivalent to the 
definition of map associated with the monad. 

3.4- The step function applicative functor 

The ap function for step functions © applies a step function of functions to 
a step function of argument pointwise. It is formally defined as follows: 

Definition 5. 

f@x := fi^) 

f@{xi\>0<iXr) := if@Xl)\>0<i{f@!Xr) 

ifi t> a <i fr)@x := {fi@{xP-o))f>o<i{frM{o<4x)). 

For step functions ©, we denote (map/x) by fcfx. This notation is meant 
to suggest the similarity with the composition operation, which is the definition 
of map for the reader monad XX. X^'^-^^. 

Definition 6. The binary version of map is defined in terms of map and ap. 

map2 fab := fd'a@b. 
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Higher arity maps can be defined in a similar way; however, we found it 
more natural to simply use map and ap everywhere. 

We will often use map2 to lift infix operations. Because of this, we give it a 
special notation. 

Definition 7. // ® is some infix operator such that Xxy.x ® y : X ^ Y ^ Z , 
then we define 

f{®)g:= (Xxy.x ®y)d'f@g, 
where f : GX , g : &Y , and f {®) g : &Z. 

For example, if /, 5 : SQ are rational step functions, then / (— ) g is the 
pointwise difference between / and g as a rational step function. 

We can lift relations to step functions as well. A relation is simply a function 
to *, the type of propositions. Thus a binary relation cx has a type Xxy.x oc 
2/ : X y If we use map2, we end up with an function Xfg.f (oc) g : 

&X ^ &Y => &-k. The result is not a proposition, but rather a step function 
of propositions. Classically, this corresponds to a step function of Booleans. In 
other words, &* represents a type of step characteristic functions on [0, 1]. 

Each way of turning a characteristic function into a proposition determines a 
different kind of predicate lifting [Sch05| . For our purposes, we are interested in 
the one that asks the characteristic function to hold everywhere. The function 
fold^ : 6* -k does this by folding conjunction over a step function. 

Definition 8. fold* := fold (I, Xopq.p A q). 

When this function is composed with map2, the result lifts a relation to a 
relation on step functions. 

Definition 9. / {cx} 5 := fold*(/ (cx) 5). 

For example, we define equivalence on step functions by lifting the equiva- 
lence relation on X. 

Definition 10. / Xex / {^x} 5- 

Two step functions are equivalent if they are pointwise equivalent every- 
where. Similarly, we define a partial order on step functions by lifting the 
inequality relation on Q. 

Definition 11. / <eQ g := /{<q}5- 

A step function / is less than a step function 17 if / is pointwise less than g 
everywhere. 



12 



3. 5. Two m,etrics for step functions 

The step functions over the rational numbers, ©Q, form a metric space in 
two ways, with the L°° metric and the metric. We first define the two norms 
on the step functions. 

Definition 12. 

Il/lloo := foldsupCabscf/) 
ll/lli := foldaffineCabScf/) 

where 

foldsup := fold I(Aoa;y.maxa;t/) 
foldaffine := fold l{\oxy.ox + (1 - o)y) 

and abs : Q Q is the absolute value function on Q. 

The function foldgup : (3(Q => Q returns the supremum of the step function, 
while the function foldaffine : 6Q ^ Q returns the integral of a step function. 
Next, the metric distance between two step functions is defined. 

Definition 13. 

rf°°/5 := 11/ n slice 

d^fg ■■= \\n-)9\\i- 

Finally, the distance relations are defined in terms of the distance functions. 
Definition 14. 

Br<Q/g := d-/5<£ 
Bf^fg := d^fg<e. 

When we need to be clear which metric space is being used, we will use the 
notation 6°°Q or 6^Q. 

The two fold functions defined in this section are uniformly continuous for 
their respective metrics. 

foldsup : 6°°Q ^ Q 

foldaffine : ©^Q ->Q 

The identity function is uniformly continuous in one direction, l : ©°°Q — ©^Q; 
however, the other direction is not uniformly continuous. 

The metrics &°°X and can be defined for any metric space X: 

Bf^'^fg := fold.(Bfcf/%) 

Bffg := 3/i:6Q+.fold,,(B^cf/i@/%)A||/i||i<e 

We have implemented the generic 6°°X metric in our formalization. However, 
for the space, we have only implemented the specific ©^Q metric. 
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3. 6. Integrable functions and bounded functions 

The bounded functions and the integrable functions are defined as the com- 
pletion of the step functions under the L°° and the metrics respectively. 



Definition 15. 



<B := €o6°° 
3 := €oe\ 



In Section 3.1 we informally interpreted elements of &X as (partially de- 
fined) functions on [0, 1]. Similarly, we can informally interpret each bounded 
function as a (partially defined) function. Consider / : SQ. Define := / (^). 
Then lim g„(x) exists for all points x in [0, 1] except perhaps for the (ratio- 

nal) splitting points of the step functions gn . At the points where this limit is 
defined, it is (classically) continuous. 

To every Riemann integrable function on [0, 1] we can associate an element 
in 3(Q. Moreover, functions / and g such that J \ f — g\ will be assigned to 
equivalent elements in 3Q . This definition can be extended to every generalized 
Riemann integrable function, where a function h is generalized Riemann inte- 
grable if hn := max (min/in) (— f^) is integrable for each n and the limit of/ /i„ 
converges (even though /i„ may not converge pointwise everywhere) . Conversely, 
we can informally interpret every element / of 3(Q as a generalized Riemann 
integrable function. Define g„ as the sequence 

By the fundamental lemma of integration |Lan93) , gn converges pointwise almost 
everywhere. Let g be this pointwise limit. Then g is a, generalized Riemann 
integrable function associated with /. 

The bounded functions have a supremum operation, sup : — >■ R and, 
similarly, the integrable functions have an integration operation, J : HQ — >■ R 
which are defined by lifting the two folds from the previous section. 

Definition 16. 

sup/ := mapg-foldsLip / 
/ := mape-foldaffinc/ 



There is an injection from the bounded functions into the integrable functions 
defined by lifting the injection on step functions: mapt : *8(Q — Of(Q. However, 
there is no injection from integrable functions to bounded functions. Thus 
bounded functions can be integrated, but integrable functions may not have a 
supremum. 
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3.1. Riemann integral 

The process for integrating a function is as follows. Given a function /, one 
needs to find an equivalent representation of / as an integrable function and then 
this integrable function can be integrated. We will consider how to integrate 
uniformly continuous functions on [0, 1], which is a useful class of functions to 
integrate. 

We convert a uniformly continuous function to an integrable function by a 
two step process. First, we will convert it to a bounded function, and then the 
bounded function can be converted to an integrable function using the injection 
defined in the previous section. 

To produce a bounded function, one needs to create a step function that 
approximates / within e for any value e : Q"*". The usual way of doing this is 
to create a step function where each step has width no more than 2 (pje). The 
value at each step is taken by sampling the function at the center of the step. 




Figure 2: Given a uniformly continuous function / and a step function S4 that approximates 
the identity function, the step function (map/s4) (or f<fS4) approximates / in the familiar 
Riemann way. 



When developing the above, it became clear that one can achieve the desired 
result by creating a step function whose values are the sample inputs, and 



then mapping / over these "sampling step-functions" (see Figure 3.7). In fact, 
the limit of these "sampling step-functions" is simply the identity function on 
[0,1] represented as a bounded function, I[o^i] : (see Section 4.7). Given 



any uniformly continuous function / : Q — >■ (Q, we can prove that mapgoc / : 
6°°(Q — > (3°°Q is uniformly continuous. We can then lift again to operate on 
bounded functions, map^ (mapgoc /) : *8Q — ?> *8Q. Applying this to I[o,i] yields 
/ restricted to [0, 1] as a bounded function, which can then be converted to an 
integrable function and integrated. 

Definition 17. /j^ -^j / := / (mapg. l {map^ (mapgoc /) I[o,i])) • 

With a small modification, this process will also work for / : Q ^ R. 
In this case map/ has type 6Q => (3R, Fortunately, there is an injection 
dist : (5R => *BQ, that interprets a step function of real values as a bounded 



function (see Definition 20 ). We can prove that the composition dist o(mapg /) : 
(3°°(Q — >■ *S(Q is uniformly continuous. Then, proceeding in a similar fashion, 
this can be lifted with bind and applied to I[o.i] to yield / restricted to [0, 1] as 
a bounded function, which can then be integrated. 
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Definition 18. /[g ij / •= / (maPc (bindc (dist o(map@ /)) I[o,i])) • 

An arbitrary uniformly continuous function / : R — >■ R can be integrated 
on [0, 1] by integrating / o returriir : Q — > R because the Riemann integral only 
depends on the value of functions at rational points. 

3.8. Stieltjes integral 

Given the previous presentation, any bounded function could be used in 
place of I[o,i]- A natural question arises: what happens when I[o,i] is replaced 
by another bounded function, g : *BQ? An analysis shows that the result is the 
Stieltjes integral with respect to g^^, when g is non-decreasing. 

Definition 19. J fdg^^ := J (mapij t (binde (disto (mapg /)) g)). 

We never intended to develop the Stieltjes integral; however, it practically 
falls out of our work for free. This is not quite as general as the Stieltjes integral 
for three reasons. Because g is defined on [0, 1], this means that g~^'s range must 
go from to 1. Essentially, g~^ must be a cumulative distribution function and, 
hence, g is a quantile function. Secondly, because 5 is a bounded function, g~^ 
must have compact support (meaning g~^ must be to the left of its support 
and 1 to the right of its support). Thirdly, our bounded functions can only have 
discontinuities at rational points. 

We have tried to allow g to be an arbitrary integrable function (this would 
remove some of the previous restrictions); however, we have been unable to 
constructively show that disto(map@ /) : 6^(Q ^ 3Q is uniformly continuous 
when / is. We have generated counterexamples where / is uniformly continuous 
with modulus fj, and disto(mapg /) is not uniformly continuous with modulus 
fi; however, for our particular counterexamples, disto(mapg /) is still uniformly 
continuous with a different modulus. 

Still, our integral should allow one to integrate with respect to some inter- 
esting distributions such as the Dirac distribution and the Cantor distribution. 

3.9. Distributing monads 

The function dist : ©R =^ combines two monads on metric spaces, £ and 
&. The function dist has type (3(£Q) £((3Q). In general, the composition 
of two monads 9Jt o 9T forms a monad when there is a distribution function 



dist : m{miX) ~> mi{mX) satisfying certain l aws |Bec69[ IBW05] . Below we 
state the laws in a more familiar function style IJD93j : F] 



^For the © and £ monads, we formally checked all of these rules apart from the last one 
which was too tedious; however, the correctness of the integral does not depend on the proofs 
of these laws. 



disto mapyj (mapgj; /) 
disto returrifn 
dist o mapry^ returngj; 
prod o maprrj dorp 



mapgr,^ (mapcj, /) o dist 
mapgr)^ returrif^ 

ret ur Pot 
dorp o prod 
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where 



prod := mapgrii joirirrj o dist 
dorp := joirifjjj o mapgjj dist . 



Definition 20. In our case, the distribution function is defined as 

dist : ©°° (CX) ^ g:(6°°X) 
dist/ := Ae. mapgoo (Ax.xe) /. 

The function dist maps a step function / with values in the completion of X 
to a collection of approximations : &°°X to the function / such that for all 
e in Q + , 1/ - /el < e "pointwise". 



4. Implementation in Coq 

In this section, we treat aspects related to our implementation in Coq. 

4-.1. Formalization in Coq 

Formalizing the previous in Coq is done in a straightforward manner. We 
interpret * as Prop, the universe of propositions. Thus, for example, the ball 
relation on rational numbers has type Qball : Qpos -> Q -> Q -> Prop. 

The metric space structure is packaged up as a dependent record, a S-type. 
This record contains a field for the domain of the metric space, which is a setoid, 
a ball relation over that domain with a proof that the ball relation respects the 
equivalence relation of the domain. Lastly the record contains a collection of 



proofs of the five axioms of a metric space (see Section 2.51 which are themselves 
packed into their own record type. 

The completion monad is a function from the record type of metric spaces 
to the record type of metric spaces. In Section [2. 8| the domain of the completion 
is given with an existential quantifier. We use Coq's Set based existential 
quantifier (essentially a S-type) to implement this quantifier. 

As a rule, we use Prop based objects only for types that would (extensionally) 
have at most one value, these are essentially the Harrop formulas |CFS03| . Thus 
negative types such as function types/implications whose result type is _L or T 
go into the Prop universe, and all other types are put into the Set or Type 
universes. We chose to have the ball relation return Prop because the closed 
sets are typically negative predicates. 

Step functions are represented by an inductive data type which is effectively 
a labeled binary tree. The Coq declaration for this structure is the following: 

Inductive StepF : Type:= 
IconstStepF : X -> StepF 

I glue : DpenUnit -> StepF -> StepF -> StepF 
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Record is_MetricSpace (X : Setoid) (B : Qpos -> relation X):Prop := 
{ msp_refl: forall e, reflexive _ (B e) 
; msp_sym: forall e, symmetric _ (B e) 

; msp_triangle : forall el e2 a b c, B el a b -> B e2 b c -> 

B (el + e2)y.Qpos a c 
; msp_closed: forall e a b, (forall d, B(e+d)7oQpos a b)->B e a b 
; msp_eq: forall a b, (forall e, B e a b) -> st_eq a b 
>. 

Record MetricSpace : Type := 
{ msp_is_setoid :> Setoid 

; ball : Qpos -> msp_is_setoid -> msp_is_setoid -> Prop 
; ball_wd : forall (el e2:qpos), (QposEq el e2) -> 

forall xl x2, (st_eq xl x2) -> 

forall yl y2, (st_eq yl y2) -> 

(ball el xl yl <-> ball e2 x2 y2) 
; msp : is_MetricSpace msp_is_setoid ball 
>. 



Figure 3: The formal definition of a metric space as a dependent record. 

Lemma Integrate01_correct : forall F (HOI : Zero [<=] (One : IR) ) 
(HF:Continuous_l HOI F) (f : Q_as_MetricSpace — > CR) , 
(forall (o:Q) H, (0 <= o <= l)-> 
(f o == IRasCR (F (inj_Q IR o) H)))y.CR -> 
(IRasCR (integral Zero One HOI F HF)==Integrate01 f)7.CR. 



Figure 4: The theorem stating that our definition of integral is correct. 



Eventually we defined the intended equivalence relation on step functions 



(see Section 3.4 1 as a binary predicate, but first we define the split (Section 4.2 1 



and basic applicative functor functions. For example, Ap is defined as: 

Fixpoint Ap (X Y:Type) (f :StepF (X->Y) ) (a: StepF X):StepF Y := 
match f with 

IconstStepF fO => Map fO a 

Iglue o fO fl=>let (l,r):=Split a o in (glue o(Ap fO 1) (Ap fl r)) 
end. 

We created proofs of the various laws and relationships between our def- 
initions. This cumulates with an ultimate proof that our definition of inte- 
gration coincides with a previous reference implementation from the CoRN li- 
brary [CF03] : 

Loosely speaking this says "for any function F over CoRN's real number 
which is continuous on [0, 1] and for any function f from the rationals to our 
real numbers that agrees with F for rational inputs between and 1, then 
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CoRN's integral of F over [0, 1] is equivalent to our integral of f . The proof of 
this lemma is 300 lines long and mostly consists of translating facts about the 
fast implementation of the reals to the C-CoRN library and vice versa. The 
actual proof is quite general because it only uses certain general properties of 
the integral, such as linearity and monotonicity. 

As a by-product of our development, we can also compute the supremum of 
any uniformly continuous function on [0, 1]. 

This has been a small glimpse into our Coq development. For full details 
there is no better source than the source; see (http://c-corn.cs.ru.nl). 



4.2. Glue and split 

As discussed in Section [4. 1[ step functions are an inductive structure defined 
by two constructors. One constructor creates constant step functions, and the 
other constructor, glue, squeezes two step functions together, joining them 
together at a given point o : (0, 1)(Q. One of the first operations we defined on 
step functions (after defining fold) was Split, which is like the opposite of glue. 
Recall from Section 3.1 that, given a step function / and a point a : (0,1)q, 



Split splits / into two pieces at a. The functions SplitL and SplitR return 
the left step function and the right step function respectively. Table [2] lists the 
association between our mathematical notation and the concrete syntax used in 
Coq. 



Mathematical Notation 


Coq Syntax 


X 


constStepF x 


f [> o<\g 


glue f g 


f P-a 


SplitL f a 


a< f 


SplitR f a 




Split f a 



Table 2: The concrete syntax used in Coq for our stop function notation. 

The key to reasoning about Split was to prove the Split-Split lemmas: 

ab^ c ^ f>-aP-b:xf^c 

a + b — ab ^ c => b<a-^f^c<f 
a + b-ab^c=^dc = a =^ {a M f) >■ b x d M {f >■ c) 

This collection of lemmas shows how the splits combine and distribute over each 
other. With sufficient case analysis, one can prove the above lemmas. These 
lemmas, combined with a few other useful lemmas (such as Split-Map lemmas) 
provided enough support to prove the laws for applicative functors without 
difficulty. 

4.3. Equivalence of step functions 

The work in the previous section defined an applicative functor of step func- 
tions over any type X. From this point on, we will require that X be a setoid 



19 



(see Section 3.4). In order to help facilitate this, in our development we define 
new functions, constStepF, glue. Split, etc., that operate on step functions 
of setoids rather than step functions of types. These functions are definitionally 
equal to the previous functions, but their types now carry the setoid relation 
from their argument types to their result types. These new function names 
shadow the old function names, and the lemmas about them need to be re- 
peated; however, their proofs are trivial by using previous proofs. 

Perhaps the biggest challenge we encountered in our formalization was to 
prove that lifting setoid equivalence to step functions (Section 3.3 1 is indeed 
an equivalence relation — in particular showing that it is transitive. We even- 
tually succeeded after creating some lemmas about the interaction between the 
equivalence relation and Split, etc. 



4-4- Common partitions 

When reasoning about two (or more) step functions, it is common to split 
up one of the step functions so that it shares the same partition structure 
as the other step function. This allows one to do induction over two step 
functions and have both step functions decompose the same way. Eventu- 
ally, we abstracted this pattern of reasoning into an induction-like principle. 

Lemma StepF_ind2: 

vjfy.v* : X ^ Y ^ *. 

(VsQSito*! : &X.sa X si to X ti 'I'soto 'tsiti ) 
(Va; : X.Vy : Y. * £ y ) ^ 

(VO : (0, l)iQ.VSiSr : eX.Vtitr : eF.*Siti =^ ^Srtr ^ * Si > O < Sr ti > O < ) ^ 

Vs : ex.vt : eY. * s t 

This lemma may look complex, but it is as easy to use in Coq as an induction 
principle for an inductive family. Normally one would reason about two step 
functions by assuming, without loss of generality, that they have a common 
partition, then doing induction over that partition. Our lemma above combines 
these two steps into one. In one step, one does induction as if the two functions 
have a common partition. This lemma was inspired by McBride and McKinna's 
work on views in dependent type theory |MM04j. It allows one to "view" two 
step functions as having a common partition. 

The lemma is used by applying it to a goal of the form for all (s t : 
StepF X) , <expr> , which can be created by generalizing two step functions. 
There are only two cases to consider. One case is when s and t are both constant 
step functions. The other case is when s and t are each glued together from 
two step functions at the same point. There is, however, a side condition to 
be proved. One has to show that <expr> respects the equivalence relation on 
step functions for s and t. Fortunately, <expr> is typically constructed from 
respectful functions, and proving this side condition is easy. 

For example, we used this lemma in the proof that foldaffino is additive. 

Theorem 1. For all step functions f,g : 6(Q, 

foldaffino / + foldaffinc 9 = foldaffi„e(/ (+) ff) 
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Proof The predicate A/g.foldaffinc / + foldaffino foldaffine(/ (+) 5) is a re- 
spectful predicate because foldaffino and addition are respectful functions. There- 
fore, we can apply StepF_ind2. There are only two cases to consider. 

The first case is when f = x and g = y. In this case, the problem reduces 
to x + y = x + y after evaluating foldaffine and x {+) y. 

The second case is when f — fi \> o <\ fr and g = gi \> o <\ Qr- In this case, 
the problem reduces to 

0(f0ldaffinc // + foldaffine 5/) + (1 ^ o)(foldaffino fr + foldaffinc ffr) 
o(foldaffi„c(/i (+) gi) + (1 - o) (foldaffine (/r (+) ffr)) 

after evaluation. This then follows from the inductive hypothesis. □ 

This induction lemma was also very useful for proving the combinator equa- 
tions in Section l475l 

The proof of StepF_ind2 is not very difficult. 

Proof Suppose 5* is a respectful binary predicate on step functions. Suppose it 
also satisfies the two other hypothesis of the lemma. We need to show Vsi, '^st. 
We proceed first by induction on s. 

Consider the case when s — x. Now we do induction on t. Consider the case 
when t — y. This is exactly the situation of our first hypothesis, so we are done. 
Consider the case when t = ti \> o <l tr. Wc need to prove 'ifx{ti \> o <i U) 
assuming that '^xti and 'i'xtr both hold. We know that (a? ► o) > o < (o J) x 
X holds, and because is respectful we can replace x using this equivalence. 
Also X ► o and o -4 a; both reduce to x by evaluation. This leaves us with 
needing to show '${x \> o O x){ti \> o <l tr). This follows from our second 
hypothesis and our two inductive hypotheses. 

Now consider the case when s = si l> o <l Sr- We need to prove V<.5'(s;s; [> 
o <l Sr)t assuming that Vt.'ifsit and Vt.'i'Srt. Again, we know that ► o) [> 
o <l (o -4 t) X i holds, and because is respectful we can replace t using this 
equivalence. The proof proceeds similar to before. □ 



4-. 5. Combinators 

The combinators B and I are preserved by every applicative functor (see 



Section 3.3 ). For the applicative functor 6, all lambda expressions are preserved. 
To show this, it is sufficient to show that each of the BCKW combinators are 
preserved. These are the combinators defined by: 

• B/^x :— f{gx) (compose) 

• Cfxy := fyx (interchange) 

• Ix :^ X (identity) 

• K.xy :— X (discard) 
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• "Wfx := fxx (duplicate) 

The identity combinator is redundant because I x WK, but it is still useful. 

All lambda expressions can be rewritten in a "point free" form using these 
combinators. Using combinators allows us to reason about the lambda calculus 
without worrying about binders, which are notoriously difficult to do by hand. 
In fact, it is one of the main issues in the POPLmark challenge |ABF+05| . 

Theorem 2. The combinators, CKW, are preserved by the (3 monad. 

Cd'f@x@y f@y@x 
Kd'x@y >iex x 
Wcr/@x xex f@x@x 

This means that we can lift any function definable with the A-calculus to 
step functions. 

4-.6. Lifting theorems 

During our development, we often needed to prove statements like the tran- 
sitivity of the order relation on the step functions: 

yfgh:&<^.f{<^}g^g{<^)h^f{<^}h 

We would like to deduce this statement from the transitivity of the correspond- 
ing pointwise relation: 

\/xyz : Q.x <iQ y ^ y <q z ^ x <q z 

First, we use a lemma that lifts universal statements about an arbitrary predi- 
cate R: X^Y^Z^-k to a. universal statement about step functions: 

(Va; : X.Vy : y.Vz : Z.Rxyz) ^ V/ : &X\Jg : eY.\/h : &ZJo\d4Rd' f@g@h) 

This yields 

Vfgh : eQ.Md^iiXxyz.x <q y =^ ?y <q z x <q z)d'f@g@h). 

Next, we would like to "evaluate" the lambda expression as "applied" to the step 
functions /, and h. Because /, and h are variables, we need to symbolically 
evaluate the expression. We avoid dealing with binders by converting the lambda 
expression into the combinator expression 

S(BS(B(B(BB(^)))(<q)))(B(C(BS(B(B(^))(<<q))))(<q))<^/%@/i, 

where S := B(B(BW)C)(BB) and and {<q) are prefix versions of these 
infix functions. This substitution is sound because the combinator term and 
lambda expression can easily be shown to be extensionally equivalent (by nor- 
malization), and map and ap are well-defined with respect to extensional equal- 
ity. 
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We found the required combinator form by using lambdabot |BJ06j . a stan- 
dard tool for Haskell programmers. It would have been interesting to implement 
the algorithm for finding the combinator form of a lambda term in Coq; however, 
this was not the aim of our current research. 

Now that the lambda term is expressed in combinator form, we can repeat- 
edly apply the combinator equations from Section |3.3| and Section |4.5| These 
equations are exactly the rules of "evaluation" of this expression "applied" to 
step functions. We put these equations into a database of rewrite rules and used 
Coq's autorewrite system as part of a small custom tactic to automatically 
reduce this entire expression in one command, yielding 

yfgh : 6Q. fold^/ (<<q) g {=>) g (<q) h (^) / (<<q) h). 

Finally, we push the fold^ inside. To do so, we have proved a lemma which 
allows us to distribute implication over fold*: 

yPQ : ©^.(fold^P {=>) Q)) ^ fold* P ^ fold* Q 

Repeated application of this lemma yields 

yfgh:&(^.f{<^)g^g{<^}h^f{<Q)h 

as required. 



^.7. The Identity Bounded Function 

In order to integrate uniformly continuous functions, we compose them with 
the identity bounded function to create a bounded function that can be inte- 
grated (see Section 3.7 1. This requires defining the identity bounded function 
on [0,1]. 

The bounded functions are the completion of step functions under the L°° 
metric. To create a bounded function, we need to generate a step function within 
£ of the identity function for every e : Q"*'. The number of steps used in the 
approximation will determine the number of samples of the continuous function 
/ that will be used. For efficiency, we want the approximation to have the 
fewest number of steps possible. Therefore, we defined a function stepSample : 
positive ©Q, where positive is the binary positive natural numbers, such 
that StepSample?^ produces the best approximation of the identity function 
with n steps. 

It is unfortunate that the width of each step is computed during integration, 
because we know that the result will always be equivalent to ^ for these partic- 
ular step functions. Perhaps some other data structure for step functions could 
be used that explicitly stores the length of each step. However, the time spent 
computing the length of the interval is usually much smaller that the time it 
takes to sample the continuous function /. 
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Function 


Time 


(answer 3 (IntegrateOl Cunit)) 


0.18s 


(answer 2 (IntegrateOl cos_uc)) 


0.52s 


(answer 3 (IntegrateOl cos_uc)) 


8.55s 


(answer 3 (IntegrateOl sin_uc)) 


7.48s 



Table 3: Time Eval vm_compute in ... carries out the reduction using Coq's virtual machine. 
The expression answer n asks for an answer to within 10^". All computations where carried 
out on an IBM Thinkpad X41. 

4-. 8. Timings 

The version of Riemann integration that we implemented apphes to general 
continuous functions and hence has bad complexity behavior. If we knew more 
about the function, for instance if it is diffcrcntiable, faster algorithms could be 
used |Eda99j . 

When extracted to OCaml, the functions run approximately five times faster 
when compiled and optimized. 

5. Future and related work 

Many optimizations are possible. Most time is spend on evaluating the 
function at many points, as can be seen by comparing the timings for the sin 
function and the identity function (CUnit) which have the same modulus of 
continuity and hence the same partition. 

Some ways of speeding up the computation of these functions are discussed 
in [O'C08a| . Most notable are: 

• the use of dyadic rationals; 

• the use of machine integers, (which will enter Coq in the near future); 

• the use of forward propagation of errors instead of our a priori estimates 
of convergence BK09^; 

• the use of parallelism. Our use of maps and folds makes it easy to run the 
algorithm in parallel. In fact, adding parallelism to the extacted O'Caml 
code by hand speeds up the evalutation by a factor three on a four proces- 
sor machine. This only required making a single function, DistrComplete 
(a fold), be evaluated in parallel. 

We hope that the technology of parallel functional programming will in- 
cluded in Coq in the future. 

Because of the way that we have defined uniform continuity, one modulus of 
continuity applies to an entire function. Even for those parts of the domain 
where the function changes slowly, we still must approximate the input to the 
same precision that is needed for those parts where the function changes quickly. 
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This reduces performance somewhat for evaluation of these functions (at the 
segments where the function changes slowly), but this causes particularly bad 
performance for integration. 

Because we only have a global modulus of continuity, we must use uniform 
partitions when creating an integrable function from a uniformly continuous 
function. This means that the function is sampled just as often where the 
function changes slowly as where the function changes quickly. This uniform 
sampling can be quite expensive for integration. 

There is some potential to increase efficiency by using a "non-uniform" def- 
inition of uniform continuity. That is to say, using a definition of uniform 
continuity that allows different segments of the domain to have local moduli 
associated with them. Ulrich Berger uses such a definition of uniform continu- 
ity to define integration |Ber09j . Simpson also defines an integration algorithm 
that uses a local modulus for a function that is computed directly from the def- 
inition of the function |Sim98| . However, implementing his algorithm directly 
in Coq is not possible because it relies on bar induction, which is not available 
in Coq unless one adds an axiom such as bar induction to it or one treats the 
real numbers as a formal space |Sam87j |Bau08j . 

The constructive real numbers have already been used to provide a semi- 
decision procedure for inequalities of real numbers. Not only for the construc- 
tive real numbers, but also for the non-computational real numbers in the Coq 
standard library |KO08| . The same technique can be applied here. 

Previously, the CoRN project |CFGW04] showed that the formalization of 
constructive analysis in a type theory is feasible. However, the extraction of 
programs from such developments is difficult [CFS03| . On the contrary, in the 
present article we have shown that if one takes an algorithmic attitude from the 
start it is possible to obtain feasible programs. 

6. Conclusions 

We have implemented Riemann integration in constructive mathematics 
based on type theory. Type checking guarantees that the implementation meets 
its formal specification. The use of the completion and the step function monads 
helped to structure the program/proof, as did the use of applicative functors. 

Building on the previous implementation of the completion of a metric 
space |O'C08aj and the library |CF04j . the current implementation was com- 
pleted in four man-months. The program/proof consists of 1155 lines of specifi- 
cations, 3380 lines of proof, and 170,137 total characters. The size of the gzipped 
tarball (gzip -9) of all the source files is 37,039 bytes, which is an estimate of 
the information content. 

Together with the work in |O'C07[ IO'C08a[ IO'C08bl . the current project 
may be seen as the beginning of the realization of Bishop's program to use 
constructive mathematics, based on type theory, as a programming language 
for exact analysis. 
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